Abstract

The electrical power network is a critical infrastructure in today's society, so its safe and reliable operation is of major concern.
State estimators are commonly used in power networks, for example, to detect faulty equipment and to optimally route power
flows. The estimators are often located in control centers, to which large numbers of measurements are sent over unencrypted
communication channels. Therefore cyber security for state estimators becomes an important issue. In this paper we analyze
the cyber security of state estimators in supervisory control and data acquisition (SCADA) for energy management systems
(EMS) operating the power network. Current EMS state estimation algorithms have bad data detection (BDD) schemes to
detect outliers in the measurement data. Such schemes are based on high measurement redundancy. Although these methods
may detect a set of basic cyber attacks, they may fail in the presence of an intelligent attacker. We explore the latter by
considering scenarios where stealthy deception attacks are performed by sending false information to the control center. We
begin by presenting a recent framework that characterizes the attack as an optimization problem with the objective specified
through a security metric and constraints corresponding to the attack cost. The framework is used to conduct realistic
experiments on state-of-the-art SCADA EMS software for a power network example with 14 substations, 27 buses, and 40
branches. The results indicate how state estimators for power networks can be made more resilient to cyber security attacks.
1 Introduction

Examples of critical infrastructures in our society are the power, gas and water supply networks. These
infrastructures are operated by means of complex supervisory control and data acquisition (SCADA) systems,
which transmit information through wide and local area networks to a control center. Because of this, critical
infrastructures are vulnerable to cyber attacks, see [1,2]. For a more recent example that also received considerable
media attention, see [3].



SCADA systems for power networks are complemented by a set of application specific software, usually called
energy management systems (EMS). Modern EMS provide information support for a variety of applications related
to power network monitoring and control. The power network state estimator (SE) is an on-line application which
uses redundant measurements and a network model to provide the EMS with an accurate state estimate at all
times. The SE has become an integral tool for EMS, for instance for contingency analysis (CA) which, based on the
state estimate, identifies the most severe consequences in case of hypothetical equipment outages. SCADA systems
collect measurement data from remote terminal units (RTUs) installed in various substations, and relay aggregated
measurements to the central master station located at the control center. A simple schematic picture of such a
system is shown in Fig. 1, with measurements denoted by $z$. Several cyber attacks on SCADA systems operating
power networks have been reported, and major blackouts, such as the August 2003 Northeast U.S. blackout, are due
to the misuse of the SCADA systems, see [4]. As discussed in [1], there are also several vulnerabilities in the SCADA
system architecture, including direct tampering with RTUs, the communication links from RTUs to the control center,
and the IT software and databases in the control center.

* This work was supported in part by the European Commission through the VIKING project, the Swedish Research Council,
the Swedish Foundation for Strategic Research, and the Knut and Alice Wallenberg Foundation.

Fig. 1. The state estimator under a cyber attack. [Figure: block diagram of the control center, in which the measurements $z$
feed the State Estimator, whose estimate $\hat{x}$ feeds Bad Data Detection (which raises an alarm), Contingency Analysis and
Optimal Power Flow, with the Operator at the end.]



Our work analyzes the cyber security of the SE in the SCADA system of a power network. In current implementations 
of SE algorithms, there are bad data detection (BDD) schemes [5,6] designed to detect random outliers in the 
measurement data. Such schemes are based on high measurement redundancy and are performed at the end of the 
state estimation process. Although such methods may detect basic cyber attacks on the measurements, they may 
fail in the presence of a more intelligent attacker. It is well known that for so-called multiple interacting bad data, the 
BDD system can fail to detect and locate the faulty measurements, see [5,6]. That an attacker can exploit this fact 
has been pointed out in several recent papers, see [7,8,9]. For example, it has been shown that an attacker with access
to a model of the network can systematically search for, and often find, simple undetectable attacks. Returning to
Fig. 1, this means it is possible to compute data corruptions a to measurements z that will not generate alarms in 
the control center. Such corruptions are called stealthy deception attacks. 

In the work [7,8,9], it is assumed that the attacker has an accurate linear model of the power grid, and undetectability
of the corruption $a$ is proven under this assumption. The real power network is nonlinear, however, and a nonlinear
model is also typically implemented in the SE. Therefore, it is not clear how a real SE will react to these stealthy
deception attacks. For example, how large can $a$ be before the SE no longer converges? In [10], we have quantified
how the SE residual can be bounded based on the model error, but no tests on an actual system were performed.

The main contribution of this paper is to test how sensitive a state-of-the-art SCADA system SE is to stealthy 
deception attacks. Maybe somewhat surprisingly, for the cases we have studied, the attacks indeed pass undetected 
for very large corruptions a. However, our analysis also shows that it is possible to make these attacks much more 
difficult to perform by allocating new sensors, or by securing some of them. Secure sensor allocation has also been 
discussed in [9,11]. 

The outline of the paper is as follows. In Section 2 we present the theoretical concepts behind state estimation in 
power networks. Results from previous work are used in Section 3 to develop the analysis framework and some novel 
considerations regarding limitations of linear attack policies are also given. Section 4 contains the main contribution 
of this paper, the description and results of practical experiments conducted in a state-of-the-art SCADA/EMS
software using the previously mentioned framework. The conclusions are presented in Section 5. 



2 Preliminaries 



In this section we introduce the power network models and the theory behind the SE and BDD algorithms. 
2.1 Measurement model

For an $N$-bus electric power network, the $n = 2N - 1$ dimensional state vector $x$ is $(\theta^T, V^T)^T$, where
$V = (V_1, \ldots, V_N)$ is the vector of bus voltage magnitudes and $\theta = (\theta_2, \ldots, \theta_N)$ the vector of
phase angles. This state vector is the minimal information needed to characterize the operating point of the power
network. Without loss of generality, we have considered bus 1 to be the reference bus, hence all phase angles are
taken relative to this bus and $\theta_1 = 0$. The $m$-dimensional measurement vector $z$ can be grouped into two
categories: (1) $z_P$, the active power flow measurements $P_{ij}$ from bus $i$ to $j$ and the active power injection
measurements $P_i$ at bus $i$, and (2) $z_Q$, the reactive power flow measurements $Q_{ij}$ from bus $i$ to $j$, the
reactive power injection measurements $Q_i$ and the voltage magnitude measurements $V_i$ at bus $i$. The
neighborhood set of bus $i$, which consists of all buses directly connected to this bus, is denoted by $\mathcal{N}_i$.
The power injections at bus $i$ are described by

$$P_i = V_i \sum_{j \in \mathcal{N}_i} V_j \left( G_{ij} \cos\theta_{ij} + B_{ij} \sin\theta_{ij} \right), \qquad
Q_i = V_i \sum_{j \in \mathcal{N}_i} V_j \left( G_{ij} \sin\theta_{ij} - B_{ij} \cos\theta_{ij} \right),$$

and the power flows from bus $i$ to bus $j$ are described by

$$P_{ij} = V_i^2 (g_{si} + g_{ij}) - V_i V_j \left( g_{ij} \cos\theta_{ij} + b_{ij} \sin\theta_{ij} \right), \qquad
Q_{ij} = -V_i^2 (b_{si} + b_{ij}) - V_i V_j \left( g_{ij} \sin\theta_{ij} - b_{ij} \cos\theta_{ij} \right),$$

where $\theta_{ij} = \theta_i - \theta_j$ is the phase angle difference between buses $i$ and $j$, $g_{si}$ and $b_{si}$ are
the shunt conductance and susceptance of bus $i$, $g_{ij}$ and $b_{ij}$ are the conductance and susceptance of the
branch from bus $i$ to $j$, and $Y_{ij} = G_{ij} + jB_{ij}$ is the $ij$th entry of the nodal admittance matrix. More
detailed formulas relating measurements $z$ and state $x$ may be found in [6].

Assuming that the model parameters and the network topology are exact, the nonlinear measurement model for
state estimation is defined by

$$z = h(x) + e, \qquad (1)$$

where $h(\cdot)$ is the $m$-dimensional nonlinear measurement function that relates measurements to states and is
assumed to be twice continuously differentiable, $e = (e_1, \ldots, e_m)^T$ is the zero-mean measurement error vector,
and usually $m \gg n$, meaning that there is high measurement redundancy. The $e_i$ are independent Gaussian
variables with respective variances $\sigma_i^2$, indicating the relative uncertainty about the $i$th measurement; thus
$e \sim \mathcal{N}(0, R)$, where $R = \mathrm{diag}(\sigma_1^2, \ldots, \sigma_m^2)$ is the covariance matrix.

2.2 State Estimator

The basic SE problem is to find the best $n$-dimensional state $\hat{x}$ for the measurement model (1) in a weighted
least squares (WLS) sense. Defining the residual vector $r(x) = z - h(x)$, we can write the WLS problem as

$$\min_x \; J(x) = \tfrac{1}{2}\, r(x)^T R^{-1} r(x) \quad \text{such that} \quad g(x) = 0, \quad s(x) \le 0, \qquad (2)$$

where the inequality constraints generally model saturation limits, while the equality constraints are used to include
target setpoints and to ensure physical laws such as zero power injection at transition buses, e.g., transformers, and
zero power flow in disconnected branches. Thus the data used in the equality constraints is often seen as pseudo-
measurements. For the sake of simplicity, we will present the solution to the unconstrained optimization problem. More
detailed information on the solution of (2) may be found in [6] and [5].

The unconstrained WLS problem is posed as

$$\min_x \; J(x) = \tfrac{1}{2}\, r(x)^T R^{-1} r(x).$$

The SE yields a state estimate $\hat{x}$ as a minimizer of this problem. The solution $\hat{x}$ can be found using the
Gauss-Newton method, which solves the so-called normal equations

$$\left( H^T(x^k) R^{-1} H(x^k) \right) \Delta x^k = H^T(x^k) R^{-1} r(x^k), \qquad (3)$$

for $k = 0, 1, \ldots$, where

$$H(x^k) = \left. \frac{\partial h(x)}{\partial x} \right|_{x = x^k}$$

is called the Jacobian matrix of the measurement model $h(x)$. For an observable power network, the measurement
Jacobian matrix $H(x^k)$ is full column rank. Consequently, the matrix $H^T(x^k) R^{-1} H(x^k)$ in (3) is positive
definite and the Gauss-Newton step generates a descent direction, i.e., for the direction $\Delta x^k = x^{k+1} - x^k$
the condition $\nabla J(x^k)^T \Delta x^k < 0$ is satisfied.

Remark 1 Henceforth we consider the covariance matrix $R$ to be the identity matrix, i.e., all measurements have
unitary weights. The framework and results presented in the next sections can be easily extended to the more general
case, see [10].

For notational convenience, throughout the next sections we will write $H(x^k)$ as $H$, $\Delta x^k$ as $\Delta x$, and
$r(x^k) = z - h(x^k)$ as $r$.



2.3 Decoupled State Estimation

A useful observation in electric power networks is that of active-reactive decoupling, i.e., the active measurements
$z_P$ (resp. the reactive measurements $z_Q$) predominantly affect the phase angles $\theta$ (resp. the voltage
magnitudes $V$). In decoupled state estimation, the approximate values of the corrections $\Delta\theta$ and
$\Delta V$ are then not computed simultaneously, but independently [12].

Following (3), the correction to the state estimate $\Delta x = (\Delta\theta^T, \Delta V^T)^T$ at each iteration can be
obtained from the weighted measurement residual $r = (r_P^T, r_Q^T)^T$ as the solution to the overdetermined system

$$\begin{pmatrix} H_{P\theta} & H_{PV} \\ H_{Q\theta} & H_{QV} \end{pmatrix}
\begin{pmatrix} \Delta\theta \\ \Delta V \end{pmatrix} =
\begin{pmatrix} r_P \\ r_Q \end{pmatrix}, \qquad (4)$$

where the submatrices $H_{P\theta}$ and $H_{PV}$ correspond to the active measurements and $H_{Q\theta}$ and
$H_{QV}$ correspond to the reactive measurements. The traditional version of fast decoupled state estimation is based
on the following decoupled normal equations (with $R = I$ as in Remark 1), where the coupling submatrices $H_{PV}$
and $H_{Q\theta}$ have been set to zero:

$$\left( H_{P\theta}^T H_{P\theta} \right) \Delta\theta^k = H_{P\theta}^T\, r_P(\theta^k, V^k), \qquad
\left( H_{QV}^T H_{QV} \right) \Delta V^k = H_{QV}^T\, r_Q(\theta^k, V^k). \qquad (5)$$

Equations (5) are alternately solved for $\Delta\theta^k$ and $\Delta V^k$, where the mismatches $r_P$ and $r_Q$ are
evaluated at the latest estimates. The submatrices $H_{P\theta}$ and $H_{QV}$ are evaluated at flat start, and branch
series resistances are ignored in forming $H_{P\theta}$. By flat start we mean the power network's state in which all
voltage magnitudes are 1 pu and all phase angles are 0.



2.4 Bad Data Detection

The measurement residual when random bad data is present is characterized as follows. Assume there are no
measurement errors, i.e. $z = h(x)$, and that the SE has converged through the Gauss-Newton method. Recalling
that $r(x) = z - h(x)$, from (3) we see that the estimate sensitivity matrix is given by
$\partial \hat{x} / \partial z = (H^T H)^{-1} H^T$. Furthermore, we conclude that the weighted residual sensitivity
matrix is

$$\frac{\partial r}{\partial z} = I - \frac{\partial h}{\partial x} \frac{\partial \hat{x}}{\partial z}
= I - H (H^T H)^{-1} H^T.$$

Thus for small measurement errors $e \sim \mathcal{N}(0, I)$ we have the following weighted measurement residual

$$r = S e, \qquad (6)$$

where $S = I - H (H^T H)^{-1} H^T$.



Through BDD the SE detects measurements corrupted by errors whose statistical properties exceed the presumed
standard deviation or mean. This is achieved by hypothesis tests using the statistical properties of the weighted
measurement residual (6). We now introduce one of the BDD hypothesis tests widely used in practice, the largest
normalized residual test.

2.4.1 Largest normalized residual test

From (6), we note that $r \sim \mathcal{N}(0, \Omega)$ with $\Omega = S$, since $S$ is a symmetric projection
($S = S^T = S^2$) and hence $S S^T = S$. Now consider the normalized residual vector

$$r^N = D^{-1/2} r, \qquad (7)$$

with $D \in \mathbb{R}^{m \times m}$ being a diagonal matrix defined as $D = \mathrm{diag}(\Omega)$. In the absence
of bad data each element $r_i^N$, $i = 1, \ldots, m$, of the normalized residual vector then follows a normal
distribution with zero mean and unit variance, $r_i^N \sim \mathcal{N}(0, 1)$, $\forall i = 1, \ldots, m$. Thus, bad
data could be detected by checking whether $r_i^N$ follows $\mathcal{N}(0, 1)$. This can be posed as a hypothesis
test for each element $r_i^N$:

$$H_0: \; E\{ r_i^N \} = 0, \qquad H_1: \; E\{ | r_i^N | \} > 0.$$

For this particular case, as shown in [5], the largest normalized residual (LNR) test corresponds to a threshold test
where the threshold $\tau$ is computed for a given false alarm rate and $H_0$ is accepted if

$$\| D^{-1/2} r \|_\infty < \tau, \qquad (8)$$

and rejected otherwise. Note that $\Omega_{ii} = 0$ for a critical measurement, i.e., one whose removal makes the
network unobservable: its residual is identically zero whatever its value, so the test cannot detect bad data on it.
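As an added, runnable illustration of Sections 2.2 and 2.4 (this is not code from the paper or its authors), the following Python/NumPy example builds the measurement Jacobian of a constructed 4-bus DC (linear, lossless) network, solves the WLS problem, forms the residual covariance $\Omega$ and runs the LNR test (8). The network, the measurement set, the true state, the noise vector, $\sigma = 0.01$ pu and the threshold $\tau = 3$ are all assumptions made for the example. Because the DC model is linear, $H$ is constant and the Gauss-Newton iteration (3) reduces to a single solve; the general weighting $R = \mathrm{diag}(\sigma_i^2)$ is kept rather than $R = I$ of Remark 1, which only rescales $r$ and $\Omega$.

```python
import numpy as np


def build_dc_jacobian(n_bus, branches, measurements):
    """Constant DC measurement Jacobian H (m x (n_bus - 1)); bus 0 is the reference, theta_0 = 0.

    branches: (i, j, x) with reactance x in pu, so the line flow is P_ij = (theta_i - theta_j) / x.
    measurements: ('flow', i, j) for P_ij or ('inj', i) for the injection P_i = sum_j P_ij.
    """
    def flow_row(i, j):
        x = next(x for a, b, x in branches if {a, b} == {i, j})
        row = np.zeros(n_bus)
        row[i] += 1.0 / x
        row[j] -= 1.0 / x
        return row

    rows = []
    for meas in measurements:
        if meas[0] == "flow":
            rows.append(flow_row(meas[1], meas[2]))
        else:
            i = meas[1]
            rows.append(sum(flow_row(i, b if a == i else a)
                            for a, b, _ in branches if i in (a, b)))
    return np.array(rows)[:, 1:]          # drop the reference-bus column


def wls_estimate(H, z, R):
    """Unconstrained WLS estimate; for a linear model the normal equations (3) are solved once."""
    W = np.linalg.inv(R)
    return np.linalg.solve(H.T @ W @ H, H.T @ W @ z)


def normalized_residuals(H, z, R):
    """r^N = D^{-1/2} r of eq. (7), with Omega = R - H (H^T R^{-1} H)^{-1} H^T (equal to S for R = I)."""
    r = z - H @ wls_estimate(H, z, R)
    omega = R - H @ np.linalg.solve(H.T @ np.linalg.inv(R) @ H, H.T)
    d = np.diag(omega)
    # Omega_ii == 0 marks a critical measurement: its residual is identically zero, so bad data on it
    # is undetectable; report 0 there instead of dividing by zero.
    return np.where(d > 1e-12, r / np.sqrt(np.maximum(d, 1e-12)), 0.0)


def lnr_test(H, z, R, tau=3.0):
    """LNR test (8): returns (bad data suspected?, index of the largest normalized residual)."""
    rN = np.abs(normalized_residuals(H, z, R))
    return bool(rN.max() >= tau), int(rN.argmax())


# Constructed example: 4 buses, 5 lines of 0.1 pu reactance, a flow on every line, an injection at every bus.
BRANCHES = [(0, 1, 0.1), (0, 2, 0.1), (1, 2, 0.1), (1, 3, 0.1), (2, 3, 0.1)]
MEAS = [("flow", 0, 1), ("flow", 0, 2), ("flow", 1, 2), ("flow", 1, 3), ("flow", 2, 3),
        ("inj", 0), ("inj", 1), ("inj", 2), ("inj", 3)]
H = build_dc_jacobian(4, BRANCHES, MEAS)
SIGMA = 0.01                                   # assumed standard deviation of every measurement, pu
R = SIGMA ** 2 * np.eye(len(MEAS))
X_TRUE = np.array([-0.05, -0.08, -0.10])       # constructed true angles theta_1..theta_3 (rad)
E = SIGMA * np.array([0.3, -0.8, 1.1, -0.4, 0.6, -1.2, 0.2, 0.9, -0.5])   # constructed noise
Z = H @ X_TRUE + E


def gross_error(z, k, size):
    """A single corrupted measurement: the kind of bad data the LNR test is designed to catch."""
    z_bad = z.copy()
    z_bad[k] += size
    return z_bad


if __name__ == "__main__":
    print("estimate:", wls_estimate(H, Z, R), " true:", X_TRUE)
    print("clean data       -> (suspect, index) =", lnr_test(H, Z, R))
    print("+0.5 pu on P_01  -> (suspect, index) =", lnr_test(H, gross_error(Z, 0, 0.5), R))
```

With the constructed noise every normalized residual stays below $\tau$ (the bound $|r_i^N| \le \|e\|/\sigma$ holds because $S$ is a projection), while a 0.5 pu error on the first flow is flagged at index 0 with a normalized residual in the tens, since that measurement has high redundancy ($S_{00} \approx 0.84$).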

3 Stealthy deception attacks

Using the theory and models described in the previous section, we present the framework used throughout the next
sections to study the cyber security of SCADA EMS software and algorithms.

3.1 Attacker Model

The goal of a stealthy deception attacker is to compromise the telemetered measurements available to the SE
such that: 1) the SE algorithm converges; 2) the attack remains undetected by the BDD scheme; and 3) for the
targeted set of measurements, the estimated values at convergence are close to the compromised ones introduced by
the attacker.

Let the corrupted measurement vector be denoted $z_a$. We assume the following additive attack model

$$z_a = z + a, \qquad (9)$$

where $a \in \mathbb{R}^m$ is the attack vector introduced by the attacker, see also Fig. 1. The vector $a$ has zero
entries for uncompromised measurements. Under attack, the normal equations (3) give the estimates

$$\hat{x}^{k+1} = \hat{x}^k + \left( H^T(\hat{x}^k) H(\hat{x}^k) \right)^{-1} H^T(\hat{x}^k)\, r_a(\hat{x}^k), \qquad (10)$$

for $k = 0, 1, \ldots$, where $\hat{x}^k$ is the biased estimate at iterate $k$, and $r_a(\hat{x}^k) := z_a - h(\hat{x}^k)$.
If the local convergence conditions hold, then these iterations converge to $\hat{x}_a$, which is the biased state
estimate resulting from the use of $z_a$. Thus, the convergence behavior can be expressed as the following statement:

1) The sequence $\{\hat{x}^0, \hat{x}^1, \ldots\}$ generated by (10) converges to a fixed point $\hat{x}_a$.

We will occasionally use the notation $\hat{x}_a(z_a)$ to emphasize the dependence on $z_a$.

The BDD scheme for SE is based on a threshold test. Thus the attacker's action will be undetected by the BDD
scheme provided that the following condition holds:

2) The measurement residual under attack $r_a := r(\hat{x}_a) = z_a - h(\hat{x}_a)$ satisfies the condition (8).

Finally, consider that the attacker aims at corrupting measurement $i$. This means the attacker would like the
estimated measurement $\hat{z}_i^a := h_i(\hat{x}_a(z_a))$ to be equal to the actual corrupted measurement $z_i^a$.
Therefore, we arrive at the following condition which will additionally govern the synthesis of the attack vector $a$:

3) The attack vector $a$ is chosen such that $| z_i^a - \hat{z}_i^a | = 0$.

The aim of a stealthy deception attacker is then to find and apply an attack $a$ that satisfies conditions 1), 2), and
3). This problem can be posed as

$$\text{find } a \quad \text{s.t.} \quad a \in \mathcal{G} \cap \mathcal{C} \cap \mathcal{U}, \qquad (11)$$

where $\mathcal{G}$ is the set of goals in condition 3), $\mathcal{C}$ the set of constraints ensuring that condition 1)
is met and that no protected or pseudo-measurements are corrupted, and $\mathcal{U}$ the set of stealthy attacks
satisfying condition 2).



3.2 Security Metric

In general a stealthy attack requires the corruption of more measurements than the targeted one, see [7] and [8].
This requirement relates to the fact that the attack vector $a$ of a stealthy attack must fit the measurement model.

Considering that the system's state is $x^*$ and the attacks are sufficiently small, the measurement model can be
linearized around $x^*$, obtaining

$$z = \left. \frac{\partial h}{\partial x} \right|_{x^*} (x^* + c) = H (x^* + c), \qquad (12)$$

where $c$ is the perturbation added to $x^*$. Previous results show that the class of stealthy attacks for this linear
model is characterized by $a \in \mathrm{Im}(H)$, which is equivalent to having $a = Hc$ for some $c \neq 0$. Based on
this linear model, we present a security metric $\alpha_k$ for each measurement $k$. This metric corresponds to the
minimum cost of a valid attack satisfying (11) and targeting measurement $k$ by adding one unit to it, i.e., $a_k = 1$.
It is computed by solving the problem

$$\alpha_k = \min_a \| a \|_0 \quad \text{s.t.} \quad a \in \mathcal{G} \cap \mathcal{C} \cap \mathcal{U}, \qquad (13)$$

where here $a \in \mathcal{G}$ corresponds to having $a_k = 1$, $a \in \mathcal{C}$ to $a_i = 0$ for all $i$ such that
measurement $i$ is a pseudo-measurement, and $a \in \mathcal{U}$ to $a \in \mathrm{Im}(H)$. Note that $\| \cdot \|_0$
is a pseudo-norm corresponding to the cardinality, i.e., the number of non-zero entries, of its argument. Hence the
cost $\alpha_k$ corresponds to the minimum cardinality of a valid attack $a$, i.e., the minimum number of sensors that
need to be corrupted.

This metric can also be extended to cases where, by compromising a single measurement, the attacker gains access to
other measurements without additional cost. For a more detailed discussion of this metric and efficient algorithms
to compute it, see [11].
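The following Python/NumPy example, added here and not taken from the paper or its authors, makes the linear attack policy and the metric (13) concrete. $H$ is the DC Jacobian of a constructed 4-bus network with reference bus 1 removed (five lines of 0.1 pu reactance; rows are the flows $P_{12}, P_{13}, P_{23}, P_{24}, P_{34}$ and the injections $P_1, \ldots, P_4$), and $P_4$ is declared a zero-injection pseudo-measurement the attacker cannot touch. $\alpha_k$ is found by exhaustive search over the subsets of measurements that can be held at zero, which is exponential in $m$ and only practical for a toy system (the efficient algorithms are the ones in [11]); the block also checks $Sa = 0$ for the attack it finds, that the estimate moves by exactly $c$, and the ranks stated in Lemma 1 of Section 3.3.

```python
import itertools
import math

import numpy as np

# DC Jacobian of a constructed 4-bus network (reference bus 1 removed; columns theta_2, theta_3, theta_4).
# Rows: flows P_12, P_13, P_23, P_24, P_34 and injections P_1, P_2, P_3, P_4; every line has x = 0.1 pu.
H = np.array([[-10.,   0.,   0.],
              [  0., -10.,   0.],
              [ 10., -10.,   0.],
              [ 10.,   0., -10.],
              [  0.,  10., -10.],
              [-10., -10.,   0.],
              [ 30., -10., -10.],
              [-10.,  30., -10.],
              [-10., -10.,  20.]])
PSEUDO = (8,)    # bus 4 is a transit bus, so P_4 = 0 is a pseudo-measurement the attacker cannot corrupt


def residual_sensitivity(H):
    """S = I - H (H^T H)^{-1} H^T of eq. (6) with R = I; under attack the residual becomes S (e + a)."""
    return np.eye(H.shape[0]) - H @ np.linalg.solve(H.T @ H, H.T)


def is_stealthy(H, a, tol=1e-9):
    """a in Im(H) is equivalent to S a = 0: the residual, and hence the LNR test, is unaffected by a."""
    return bool(np.linalg.norm(residual_sensitivity(H) @ a) < tol)


def estimate_shift(H, a):
    """For a = H c the WLS estimate is displaced by exactly c: x_hat(z + a) = x_hat(z) + c."""
    return np.linalg.lstsq(H, a, rcond=None)[0]


def naive_attack(m, k, bias=1.0):
    """Corrupt the target only; not in Im(H) unless measurement k is critical."""
    a = np.zeros(m)
    a[k] = bias
    return a


def security_metric(H, k, protected=()):
    """alpha_k of eq. (13) by exhaustive search (fine for m = 9, exponential in general; see [11]).

    Looks for the largest set Z of non-target measurements that can be held at zero while a_k = 1 and
    a = H c; the attack found then has cardinality alpha_k = m - |Z|.  Returns (alpha_k, a), or
    (inf, None) when no stealthy attack on k exists, e.g. because k itself is protected.
    """
    m = H.shape[0]
    if k in protected:
        return math.inf, None
    others = [i for i in range(m) if i != k and i not in protected]
    for size in range(len(others), -1, -1):
        for zeros in itertools.combinations(others, size):
            Z = list(zeros) + list(protected)
            A = np.vstack([H[Z], H[[k]]])          # H_Z c = 0 and H_k c = 1
            b = np.zeros(len(Z) + 1)
            b[-1] = 1.0
            c = np.linalg.lstsq(A, b, rcond=None)[0]
            if np.allclose(A @ c, b, atol=1e-9):
                a = H @ c
                return int(np.sum(np.abs(a) > 1e-9)), a
    return math.inf, None


def lemma1_ranks(H, a, tol=1e-9):
    """Lemma 1 on a minimum-cardinality attack: rank(H_U) = n - 1 for the untouched set U, and adding
    any corrupted row restores rank n.  Returns the two ranks."""
    U = [i for i in range(H.shape[0]) if abs(a[i]) < tol]
    touched = [i for i in range(H.shape[0]) if abs(a[i]) >= tol]
    return int(np.linalg.matrix_rank(H[U])), int(np.linalg.matrix_rank(H[U + touched[:1]]))


if __name__ == "__main__":
    names = ["P_12", "P_13", "P_23", "P_24", "P_34", "P_1", "P_2", "P_3", "P_4"]
    for k, name in enumerate(names):
        free, _ = security_metric(H, k)
        prot, _ = security_metric(H, k, PSEUDO)
        print(f"{name:5s} alpha_k = {free:>3}   with P_4 protected: {prot:>3}")
    alpha, a = security_metric(H, 0, PSEUDO)
    print("attack on P_12:", a, " stealthy:", is_stealthy(H, a), " shift c:", estimate_shift(H, a))
    print("naive attack on P_12 stealthy:", is_stealthy(H, naive_attack(9, 0)))
```

For this network the cheapest stealthy attack on $P_{12}$ shifts all three non-reference angles by the same amount, so it corrupts $P_{12}, P_{13}, P_1, P_2, P_3$ ($\alpha = 5$) and leaves the transit-bus injection untouched, whereas protecting $P_4$ raises the cost of attacking $P_{24}$ from 5 to 7: the same mechanism by which the paper's secured or pseudo-measurements increase $\alpha_k$.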



3.3 Limitations of Linear Policies

In this section we comment on the limitations of the linear attack policies described in Section 3.2. Recall that the
core of the linear policies is to have $a \in \mathrm{Im}(H)$. Two main limitations arise from this policy, one related to
the fact that $H$ is obtained for given operating conditions and the other related to saturation limits not considered
by the linear measurement model (12). We briefly discuss these limitations.

3.3.1 Varying operating conditions

The power network is a dynamical system and its state is frequently changing. Thus it might be the case that the
attacker has previously obtained a linear model $H$ for a state $x$, and the attack is performed only when the system
is in a different state $x^*$ where the linear approximation is $\bar{H}$. For small attack vectors or for cases where
$x^* \approx x$, the residual will be small and the attack may pass undetected. For larger attacks, however, this might
not hold. These scenarios can be analyzed using the framework presented in [10], where it is considered that the
attacker has an inaccurate model $H$.

One interesting fact to observe is that, under certain assumptions, the attack vector $a$ and the security metric
$\alpha$ will be the same, independently of the system's state. We now present a useful lemma and the required
assumptions and formulate this result.

Lemma 1 Consider an optimal attack $a^*$ that is undetectable with respect to $H$, i.e., $a^* \in \mathrm{Im}(H)$,
and has minimum cardinality. Denote by $U$ the set of measurements not affected by $a^*$, i.e., $a_i^* = 0$ for all
$i \in U$ and $a_i^* \neq 0$ for all $i \notin U$. Let the Jacobian matrix be partitioned as
$H = \begin{bmatrix} H_U^T & H_{\bar{U}}^T \end{bmatrix}^T$. Recalling that $n$ is the number of states and that
$\mathrm{rank}(H) = n$, then $\mathrm{rank}(H_U) = n - 1$, and for every $i \notin U$ we have
$\mathrm{rank}(H_{U \cup \{i\}}) = n$.

PROOF. See [11]. ■

Assumption 1 For any measurement element $z_i$ we have $\left. \partial h_i / \partial x_j \right|_{x^*} = 0$ if and
only if $\left. \partial h_i / \partial x_j \right|_{\bar{x}} = 0$, for all $j = 1, \ldots, n$, i.e., the sparsity pattern of
the Jacobian is the same at both operating points.

Proposition 2 Denote by $\mathcal{F}$ the set of power flow measurements. Consider
$H = H_{P\theta}(\theta)|_{\theta = \theta^*}$ and $\bar{H} = H_{P\theta}(\theta)|_{\theta = \bar{\theta}}$, and let $a$
be a stealthy deception attack vector with respect to $H$. Denote the set of measurements not corrupted by $a$ as
$U$. Then for all the line parameter perturbations and state changes from $\theta^*$ to $\bar{\theta}$ that satisfy
Assumption 1 and do not affect measurements $j \in \mathcal{F} \setminus U$, we have that $a$ is also a stealthy attack
with respect to $\bar{H}$.

PROOF. In the following we consider the matrix $H_{P\theta}$ and write $H$ instead to simplify the notation. We
consider a perturbation in the linear model, e.g., due to varying operating conditions, such that for a measurement
$k \in \mathcal{F}$ corresponding to a transmission line we have $\bar{H}_k = b H_k$. Let us denote the buses at the
two ends of the transmission line by $k_1$ and $k_2$. For the power injection at bus $k_1$ (closest to measurement $k$)
we have $\bar{H}_{k_1} = H_{k_1} + (b - 1) H_k$, and for bus $k_2$ we have $\bar{H}_{k_2} = H_{k_2} - (b - 1) H_k$. In
the following we show that if $k \in \mathcal{F} \cap U$, then for every $a \in \mathrm{Im}(H)$ there is
$\bar{a} \in \mathrm{Im}(\bar{H})$ such that $a = \bar{a}$. Since this also holds for minimum cardinality attack
vectors, we have that the security metric $\alpha$ is the same for both linearized models.

For the case when $k \in U$ we can prove the proposition by performing elementary row operations on $\bar{H}_U$. If
$k_1 \in U$ we subtract $\frac{b - 1}{b} \bar{H}_k$ from $\bar{H}_{k_1}$. We proceed similarly for $k_2$. Finally, we
divide $\bar{H}_k$ by $b$. Clearly, after these operations we obtain $H_U$, which, following Lemma 1, proves that
$\mathrm{rank}(\bar{H}_U) = n - 1$. Observe that since we used elementary row operations, the kernel of $\bar{H}_U$ is
the same as that of $H_U$. Consequently, the same attack vectors can be used despite the perturbation of the model,
i.e., $a \in \mathrm{Im}(H) \cap \mathrm{Im}(\bar{H})$. ■

Hence we conclude that if the state or parameter perturbations do not affect power flow measurements compromised
by the attack before the change, then the same attack vector is still valid after the parameter or state change.
Note that this is ensured if the measurements affected by the parameter change are far from the region of the
network where the attack is performed. Thus this indicates that attacks can be performed locally in the power
network. Additionally, in this case the security metric is the same for both linearized models and there is no need
to recompute it for the different state.

3.3.2 Saturation limits

The linear measurement model (12) is obtained by linearizing the nonlinear model (1) at a given state $x^*$, and so
the linear model only approximates the nonlinear one well in a region close to $x^*$. Furthermore, the more nonlinear
the function is around $x^*$, the smaller the region where the approximation is valid. This fact is particularly
important when saturation occurs. From (12) alone we do not have any limits on the size of $a = Hc$. However, the
nonlinear model clearly shows that the measurements have saturation limits. For instance, disregarding the line and
shunt conductances $g_{ij}$ and $g_{si}$ we have $P_{ij} = -V_i V_j b_{ij} \sin\theta_{ij}$, where we see that the
theoretical maximum for this power flow is given by $P_{ij} = -V_i V_j b_{ij}$. Hence for a stealthy attack it is not
enough to require that $a \in \mathrm{Im}(H)$; it is also essential to impose saturation limits on the attacked
measurements. These limits could be formulated as inequality constraints and included in the set of constraints
$\mathcal{C}$, in general reducing the set of valid attacks.
Fig. 2. Power network considered in the experiment, where the gray and brown colors represent unenergized and energized
objects, respectively.

4 Experiments on the SCADA EMS system

In the previous sections we have mentioned recent work where the authors analyzed stealthy deception attacks
on SE based on linearized models. However, the results obtained so far do not clarify how sensitive real SCADA
EMS software is to these attacks or whether a system operator should even care about these scenarios. In this section
we present the results obtained by carrying out a stealthy deception attack on real SCADA EMS software. By
analyzing these results we hope to answer the previous open questions and also to provide recommendations to
increase the security of SCADA EMS software against deception attacks. Before analyzing the results, we briefly
describe the experimental setup.

4.1 Experimental Setup

The software was supplied with the virtual network presented in Fig. 2, similar to the IEEE 39 bus network. The
power network in Fig. 2 consists of 14 substations, and the bus-branch model has 27 buses and 40 branches. Several
measurements are available at each substation, such as voltage magnitudes, active and reactive power flows and
injections, and transformer tap changer positions. This data is kept in the software database. We have used a console-
based static network simulator to carry out the data corruption by directly changing the measurement data in the
database. The presented results thus relate to data corruption attacks and the consequences of such attacks on the
EMS software components.

Specific EMS components, such as SE and BDD, are configured with unitary weights for all the measurements. The
SE solves the nonlinear weighted least-squares problem using the fast-decoupled algorithm with equality constraints,
while the BDD algorithm uses the LNR test. Both correspond to the standard algorithms presented in Section 2.

As described in previous sections, some information about the power network is needed to compute stealthy deception
attacks. Here we consider a particular class of such information, namely the bus-branch model of the network. In this
experiment, we exported this information to MATLAB using the MATPOWER toolbox [13]. A simplified attack
was considered in which only the DC model of the network was used. This corresponds to including only active
power measurements in the set of corrupted measurement data, disregarding the reactive measurements, and taking
into account neither the current operating state of the system, nor the coupling between the active power and the
voltage magnitudes, nor the line conductances or the shunt admittances. Hence all voltage magnitudes were assumed
to be 1 pu and the phase angles 0. Only a simplified version of the $H_{P\theta}$ submatrix in (4) was used, hereby
denoted $H_{DC}$.

The algorithm in [11] was used to compute the security metric for each measurement. Information regarding which
measurements were assumed to be tamper-proof was taken into account. Such measurements correspond to pseudo-
measurements, which are considered as equality constraints in the optimization problem and are often based on
physical principles, see [5].

The result is presented in Fig. 3. Given the current configuration of the SCADA EMS, specifically which measure-
ments are available, we computed the security metric $\alpha_k$ (the red full circles) as defined in Section 3.2. We see
that the result is very heterogeneous: around a third of the measurements have low values between 3 and 4, another
third have values between 6 and 10, and others, which are not depicted, have values greater than 20 or even
$\alpha_k = \infty$. Recalling that $\alpha_k$ is the minimum number of measurements needed to perform a stealthy
attack on measurement $k$, we conclude that measurements with low $\alpha_k$ are easily attacked while the ones with
$\alpha_k = \infty$ are fully protected.

Increasing the redundancy of the system by adding more measurements to the SCADA system increases the security
level, as we see by looking at how $\tilde{\alpha}_k$ is larger than $\alpha_k$. However, note that this does not
guarantee full protection, as all measurements with finite $\alpha_k$ still have finite $\tilde{\alpha}_k$.

Fig. 3. Security metrics for each measurement $k$: $\alpha_k$ (red full circles) was computed taking into account which
measurements are available in the SCADA EMS, while $\tilde{\alpha}_k$ (blue rings) was computed assuming that all
possible measurements are being taken. Both represent the minimum number of measurements needed to perform a
stealthy attack on the target measurement $k$.



4.2 Attack Scenario

To conduct our experiment we considered measurement number 33, corresponding to the active power flow on the
tie-line between the TROY and BLOO substations, to be the target measurement. This means that the attacker's goal
is to change this power flow measurement value as he/she wishes. In order to do so without being detected, the
attacker needs to perform a coordinated attack in which he/she corrupts the values of other power measurements.
Following the framework presented in Section 3, the set of such malicious changes is encoded in the attack vector
$a$, which is then added to the true measurement vector $z$. The corrupted measurement vector $z_a = z + a$ is the
one used by the SE.

Using $H_{DC}$, we computed the additive normalized attack vector required to stealthily change the target
measurement by 1 MW, presented in Table 1. As seen in Fig. 3, such an attack only corrupts 7 measurements in total,
which are taken from 5 substations, namely TROY, BLOO, JUNE, MONR, and CROS, all situated on the right side of
Fig. 2.

Fig. 4. Stealthy deception attack.

Table 2. Results from the stealthy attack for large bias. Columns: target bias, false value, estimate, #BDD (number
of BDD alarms), #CA (number of CA warnings).

Hence we see that to stealthily attack a single measurement, a local coordinated attack suffices, even for such a
large system. Additionally, as discussed in [11], note that usually all measurements within a given substation are
gathered at a single RTU. This means that by breaking into the substation's RTU the attacker gains access to all
those measurements, so we can argue that although 7 measurements need to be corrupted, only 5 RTUs need to be
compromised.

4.3 Experimental Results

The normalized attack vector $a$, whose non-zero entries are shown in Table 1, was used to corrupt the measurement
data according to the attacker's objective. For instance, in Table 1 we can see the correct values of the compromised
measurements, denoted by $z^*$, and the false values sent to the control center, $z_a$, when the objective was to
induce a bias of 100 MW in the target measurement, i.e., $z_a = z^* + 100 a$.

In Fig. 4 we show the results obtained by performing stealthy deception attacks as described before and naive decep-
tion attacks where only the target measurement is compromised. In both cases, the bias in the target measurement
was sequentially increased by 10 MW at each step. From these results we see that the naive attack was undetected
up to a bias of 20 MW, while for biases of 30 MW and above this attack was detected and the compromised measurement
removed. The coordinated stealthy attack, however, remained undetected for all the bias values shown in the figure.
Furthermore, we see that the naive attack did not influence the estimate as much as the stealthy one, for which the
relationship between the false and the estimated values has an almost unit slope.

Table 2 shows the results obtained for large biases, where the attacks were performed sequentially in steps of 50 MW.
We observe that the stealthy attacks were successful with no BDD alarm triggered up to a bias of 150 MW, beyond
which the SE no longer converged.

Although the SE did not converge for attacks of 200 MW and above, it is still surprising to see that attacks based on
the linearized model as large as 150 MW are successful. To better understand what such a quantity indicates, note that
the nominal value of the targeted tie-line flow is 260 MW. Thus the attack was able to induce a bias of more than 50%
of the nominal value, which reveals that the SCADA EMS software is indeed sensitive to stealthy deception attacks.
Furthermore, notice that the number of warnings given by the CA component increases with the size of the attack.
Whether or not this trend is related to the fact that the coupling terms have been neglected is still a matter for future
analysis. Nevertheless, note that the increased number of CA warnings could lead the operator to take corrective
actions. Therefore, we conclude that operators and utilities should care about these scenarios.

We also want to highlight that these results were achieved with a simplified linear model where several parameters,
including the correct operating conditions and cross-coupling effects between active and reactive measurements, were
disregarded. However, in these scenarios we assumed the attacker had a large amount of resources, such as rather
detailed knowledge of the network model, the available measurements and the pseudo-measurements, and
access to several RTUs. Most likely, an attacker with such resources could perform more devastating attacks on the
power network than the ones considered here.
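To reproduce the shape of this experiment on a toy system, the following Python/NumPy example (added here; not the authors' code, their EMS, or their 27-bus model) implements the nonlinear WLS estimator and LNR test of Section 2 for a constructed 4-bus AC network with line resistance, derives the attack from the DC model alone (the $H_{P\theta}$ rows at flat start, no coupling, no losses, no saturation check), and sweeps the bias of a naive attack and of the DC-model attack on one line flow, reporting whether Gauss-Newton converged and the largest normalized residual. The network data, the telemetered set, $\sigma = 0.01$ pu, $\tau = 3$, the noise-free telemetry and the choice of target are assumptions; the targeted flow is about 0.41 pu, so the sweep runs well past 100% of its nominal value, which is where the reader can see the DC-model attack start to be flagged or the iteration stop converging.

```python
import numpy as np

# Constructed 4-bus AC test network (not the paper's 27-bus model): (from, to, r, x) in pu, no shunts.
N_BUS = 4
BRANCHES = [(0, 1, 0.01, 0.1), (0, 2, 0.01, 0.1), (1, 2, 0.01, 0.1), (1, 3, 0.01, 0.1), (2, 3, 0.01, 0.1)]
# Telemetered set: P and Q flow at the from-end of every line, P and Q injection and V at every bus.
MEAS = ([("P", i, j) for i, j, _, _ in BRANCHES] + [("Q", i, j) for i, j, _, _ in BRANCHES]
        + [("Pinj", i) for i in range(N_BUS)] + [("Qinj", i) for i in range(N_BUS)]
        + [("V", i) for i in range(N_BUS)])
SIGMA = 0.01        # assumed standard deviation of every measurement (pu), i.e. R = SIGMA^2 I
TAU = 3.0           # assumed LNR threshold
TARGET = 3          # MEAS[3] = ("P", 1, 3): the targeted line flow, about 0.41 pu at X_TRUE
X_TRUE = np.array([-0.03, -0.05, -0.07, 1.02, 1.00, 0.99, 0.98])   # theta_1..theta_3 (rad), V_0..V_3
FLAT = np.concatenate([np.zeros(N_BUS - 1), np.ones(N_BUS)])        # flat start: V = 1 pu, theta = 0


def h(x):
    """Nonlinear measurement function of Section 2.1; injections are sums of the incident line flows."""
    theta = np.concatenate([[0.0], x[:N_BUS - 1]])   # bus 0 is the reference
    V = x[N_BUS - 1:]
    flow = {}
    for i, j, r, xl in BRANCHES:
        y = 1 / complex(r, xl)
        g, b = y.real, y.imag
        for s, t in ((i, j), (j, i)):
            d = theta[s] - theta[t]
            flow[(s, t)] = (V[s] ** 2 * g - V[s] * V[t] * (g * np.cos(d) + b * np.sin(d)),
                            -V[s] ** 2 * b - V[s] * V[t] * (g * np.sin(d) - b * np.cos(d)))
    out = []
    for m in MEAS:
        if m[0] in ("P", "Q"):
            out.append(flow[(m[1], m[2])][int(m[0] == "Q")])
        elif m[0] in ("Pinj", "Qinj"):
            out.append(sum(pq[int(m[0] == "Qinj")] for (s, _), pq in flow.items() if s == m[1]))
        else:
            out.append(V[m[1]])
    return np.array(out)


def jacobian(x, eps=1e-6):
    """H(x) = dh/dx by central differences (an EMS uses the analytic Jacobian; this keeps the example short)."""
    cols = []
    for k in range(len(x)):
        d = np.zeros(len(x))
        d[k] = eps
        cols.append((h(x + d) - h(x - d)) / (2 * eps))
    return np.array(cols).T


def state_estimate(z, max_iter=20, tol=1e-6):
    """Gauss-Newton WLS from flat start (eq. (3), R = SIGMA^2 I) followed by the LNR test of eq. (8).
    Returns (x_hat, converged, largest normalized residual)."""
    x, converged = FLAT.copy(), False
    for _ in range(max_iter):
        Hk = jacobian(x)
        try:
            dx = np.linalg.solve(Hk.T @ Hk, Hk.T @ (z - h(x)))
        except np.linalg.LinAlgError:
            break
        x = x + dx
        if not np.all(np.isfinite(x)):
            return x, False, float("inf")
        if np.max(np.abs(dx)) < tol:
            converged = True
            break
    Hk, r = jacobian(x), z - h(x)
    try:
        S = np.eye(len(z)) - Hk @ np.linalg.solve(Hk.T @ Hk, Hk.T)   # residual sensitivity, eq. (6)
    except np.linalg.LinAlgError:
        return x, False, float("inf")
    d = np.diag(S)                                                    # d_i = 0 would mark a critical measurement
    rN = np.where(d > 1e-9, np.abs(r) / (SIGMA * np.sqrt(np.maximum(d, 1e-9))), 0.0)
    return x, converged, float(np.max(rN))


def naive_attack(k, bias):
    """Corrupt only the target measurement."""
    a = np.zeros(len(MEAS))
    a[k] = bias
    return a


def dc_attack(k, bias):
    """Linear attack policy built from the DC model only, as in Section 4.1: H_DC is the active-power
    rows / angle columns of H at flat start (line resistance drops out there).  The attacker shifts just
    the angle of the target line's to-bus (c = e_j; j must not be the reference bus), so a = H_DC c
    corrupts the flows and injections around that bus, scaled so that a_k = bias.  Q and V rows stay 0."""
    p_rows = [i for i, m in enumerate(MEAS) if m[0] in ("P", "Pinj")]
    H_dc = jacobian(FLAT)[p_rows][:, :N_BUS - 1]
    c = np.zeros(N_BUS - 1)
    c[MEAS[k][2] - 1] = 1.0
    a_p = H_dc @ c
    a = np.zeros(len(MEAS))
    a[p_rows] = a_p * (bias / a_p[p_rows.index(k)])
    return a


def sweep(z, k, biases, stealthy):
    """(converged, largest normalized residual) per bias for the DC-model attack or the naive one."""
    return {bias: state_estimate(z + (dc_attack(k, bias) if stealthy else naive_attack(k, bias)))[1:]
            for bias in biases}


Z = h(X_TRUE)      # noise-free telemetry, so any residual is due to the attack alone

if __name__ == "__main__":
    for stealthy in (False, True):
        res = sweep(Z, TARGET, [0.05, 0.1, 0.2, 0.5, 1.0], stealthy)
        print("DC-model attack" if stealthy else "naive attack   ",
              {b: (c, round(l, 2)) for b, (c, l) in res.items()})
```

The DC-model attack touches five active-power measurements (the target flow, the other flow into the same bus, and the three injections around it) and leaves the reactive and voltage rows alone; the only thing the nonlinear estimator can notice is the mismatch between the DC prediction and the AC change, which grows with the bias through the neglected losses and the $Q$ coupling, the effects the paper lists as disregarded. Saturation of the attacked flows (Section 3.3.2) is not checked here.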

5 Conclusions

In this paper we presented a comprehensive framework to analyze and study a class of stealthy deception attacks
specifically targeting the SE component of SCADA EMS software through measurement data corruption. This
framework provides attacker and attack cost models, possible attack synthesis policies, and system security metrics.
The system security metric can be used by the utility to strengthen the security of the system by allocating new
sensors. Some limitations of the linear attack policies were briefly discussed. To validate this framework, we conducted
a set of deception attacks on state-of-the-art SCADA EMS software. The results obtained in this experiment show
that computations based on linear models of the system provide valid attacks that successfully corrupt the target
measurements without triggering any BDD alarms. The results also indicate that linear models can be used for
large attacks as well, contrary to what one might expect. Additionally, we showed that besides the measurement model,
information concerning pseudo-measurements and saturation limits is needed for a successful stealthy attack. This
study also shows that improved BDD schemes and methods to ensure measurement and data protection are desirable.